Cybersecurity researchers have discovered a new malware strain that uses a built-in component of the Microsoft Windows operating system, the Windows Background Intelligent Transfer Service (BITS), to run additional code or to stealthily exfiltrate stolen data to a remote server. The new backdoor, dubbed Win32/StealthFalcon by ESET, appears to be the work of the notorious state-sponsored cyber-espionage group called Stealth Falcon. The first report on this group’s activity was released in 2016 by Citizen Lab, a non-profit organization that focuses on security and human rights. According to that analysis, Stealth Falcon, which has been active since 2012, primarily targets political activists and journalists in the Middle East. In January 2019 Amnesty International said it believed that Stealth Falcon and a similar cyber-espionage initiative named Project Raven were actually the same group.
In previous attacks the group used a stealthy PowerShell-based backdoor, distributed via a weaponized document attached to a malicious email, but it appears that the hackers have ditched that tool in favor of an even stealthier backdoor that uses the Windows BITS service to communicate with its command-and-control (C&C) server. The BITS service is used by programmers and system administrators to download files from, or upload files to, HTTP web servers and SMB file shares.
“It is commonly used by updaters, messengers, and other applications designed to operate in the background. This means that BITS tasks are more likely to be permitted by host-based firewalls,” the ESET research team explained.
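Because legitimate updaters keep BITS traffic busy, the defensive question is not whether BITS is in use but which jobs do not fit the fleet's normal pattern. The following Python triage routine is an added example written for this article, not code from ESET or from the malware report: it scores BITS job records against a hypothetical allowlist of expected remote hosts and owning processes, and treats upload jobs as higher risk since BITS uploads are the channel the article describes for exfiltration. The record fields, allowlist entries and sample events are all constructed for illustration.

```python
"""Triage BITS transfer jobs against a fleet's expected baseline.

Added example (not from ESET's report). Field names, allowlists and the
sample events below are constructed; on a real host the same fields can be
pulled from the Microsoft-Windows-Bits-Client/Operational event log or from
`Get-BitsTransfer -AllUsers` and fed into triage().
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Remote hosts this (hypothetical) fleet expects BITS jobs to contact.
ALLOWED_HOSTS = {
    "download.windowsupdate.com",
    "updates.example-corp.internal",
}

# Processes that legitimately create BITS jobs on this fleet (hypothetical).
EXPECTED_OWNERS = {"svchost.exe", "microsoftedgeupdate.exe"}


@dataclass(frozen=True)
class BitsJobEvent:
    job_title: str
    url: str
    job_type: str       # "download" or "upload"
    owner_process: str  # image name of the process that created the job
    user: str           # account the job runs as


def suspicious_reasons(ev: BitsJobEvent) -> list:
    """Return the list of baseline deviations for one job (empty = benign)."""
    reasons = []
    host = (urlparse(ev.url).hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        reasons.append(f"unexpected remote host: {host or '<none>'}")
    # Uploads are rare for updaters but are exactly what an exfiltration
    # channel over BITS looks like, so they are always worth a look.
    if ev.job_type.lower() == "upload":
        reasons.append("upload job (possible exfiltration)")
    if ev.owner_process.lower() not in EXPECTED_OWNERS:
        reasons.append(f"unexpected owner process: {ev.owner_process}")
    return reasons


def triage(events) -> list:
    """Return [(job_title, reasons), ...] for every job that deviates."""
    flagged = []
    for ev in events:
        reasons = suspicious_reasons(ev)
        if reasons:
            flagged.append((ev.job_title, reasons))
    return flagged


# Constructed sample events: two ordinary updater jobs and one odd upload.
SAMPLE_EVENTS = [
    BitsJobEvent("Windows Update",
                 "https://download.windowsupdate.com/d/msdownload/update.cab",
                 "download", "svchost.exe", "NT AUTHORITY\\SYSTEM"),
    BitsJobEvent("EdgeUpdate",
                 "https://updates.example-corp.internal/edge/latest.msi",
                 "download", "MicrosoftEdgeUpdate.exe", "NT AUTHORITY\\SYSTEM"),
    BitsJobEvent("sync",
                 "https://cdn-telemetry.example.net/u",
                 "upload", "rundll32.exe", "CORP\\alice"),
]

if __name__ == "__main__":
    for title, reasons in triage(SAMPLE_EVENTS):
        print(f"[!] job {title!r}: " + "; ".join(reasons))
```

The allowlist approach is deliberately simple: it will not catch a job that talks to an allowed host, but it cheaply surfaces the two properties this campaign relies on, a remote host nobody provisioned and an upload direction that updaters almost never need. The process-owner check is the cheapest to tune, since on most fleets only a handful of images ever create BITS jobs.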
Win32/StealthFalcon, which appears to have been created back in 2015, is a DLL file that, after execution, schedules itself as a task that runs on each user login. It has only basic functions: it can collect and exfiltrate information, run additional malicious tools and update its configuration. ESET’s report does not say how the backdoor is delivered to and executed on infected systems.
Additionally, the researchers found an interesting function that is executed before any malicious payload is started.
“It references 300+ imports, but does not use them at all. Instead, it always returns and continues with the payload afterward, without condition checks that would suggest it is an anti-emulation trick,” reads the report. The experts believe that this function is either used as an attempt to avoid detection or is a leftover part from a larger framework used by the malware authors.
Both Win32/StealthFalcon and the PowerShell-based backdoor described in the Citizen Lab analysis share the same C&C server domain (windowsearchcache[.]com), and both share similarities in code.
“Both backdoors display significant similarities in code – although they are written in different languages, the underlying logic is preserved. Both use hardcoded identifiers (most probably campaign ID/target ID). In both cases, all network communication from the compromised host is prefixed with these identifiers and encrypted with RC4 using a hardcoded key. For their C&C server communication, they both use HTTPS but set specific flags for the connection to ignore the server certificate,” the researchers added.
Indicators of Compromise (IoCs), including a list of the C&C servers used in this campaign, are provided in the last part of ESET’s report.